Free Market Seen as FISMA Alternative

A leading free-market thinker proposes that technology vendors guarantee the security they build into the IT products they sell to the federal government; in return, the government would pay more for those technologies.

"As a large market participant, the federal government can have a good influence on the security ecology without resorting to intrusive regulation," says Jim Harper, director of information policy studies at The Cato Institute, a libertarian think tank. "Whether it creates a gold standard for security in technologies purchased in the private sector, or whether it moves the market toward contract-based liability for technology sellers, the federal government can help the technology market mature."

The federal government is among the largest purchasers of IT. Although Harper says that is not the state of affairs he would prefer, he argues there is little reason to deny that its purchasing decisions can drive improvement in off-the-shelf technology.

Harper points out that the market for communications and computing technologies is very immature. "Many products are rushed to market without adequate security testing; many are delivered with insecure settings enabled by default," he says. "My impression also is that most are sold without any warranty of fitness for the purposes users will put them to, leaving all risk of failure with buyers who are poorly positioned to make sound security judgments."

Because of the National Institute of Standards and Technology (NIST) and other entities, Harper says, the federal government is among the most sophisticated purchasers of technology. "The government can drive maturation in the market for technology products by setting standards and defaults for the products and services it buys," he says.

And, Harper says, because of its size the federal government could insist on shifting the risk of loss from the buyer - the government - to the seller - vendors and service providers - but at a price. "Federal buyers should expect to pay more if they demand fitness and security guarantees, of course, but more secure products have more value," Harper says. "Sellers will have to do more thorough development and more rigorous security testing. Because they currently bear little or no risk of loss, technology sellers will probably howl at the prospect of bearing risk, but ready to step in will be technology sellers willing to produce better, more secure, and more reliable products for the premium that gets them."

Harper suggests the shift in risk could serve as a free-market alternative to the Federal Information Security Management Act, or at least as a complement to the law that governs federal government IT security.

"If the federal government knew how to do cybersecurity well, FISMA would be a to-do list that more or less secured the federal enterprise," Harper says. "We would not have the cybersecurity problem all agree we have."

Harper's comments came in prepared testimony he delivered last week to the House Science and Technology Committee's Subcommittee on Technology and Innovation.
